THE CITY OF NEW YORK 
OFFICE OF THE COMPTROLLER 


INTERNAL CONTROL AND ACCOUNTABILITY DIRECTIVES 


DIRECTIVE #1: PRINCIPLES OF INTERNAL CONTROL 


INTRODUCTION 


Internal Control must be an integral part of agency management in satisfying the agency’s 
overall responsibility for successfully achieving its assigned mission and assuring full 
accountability for resources. In addition, effective internal control over the financial activities 
at the agency level is the foundation for ensuring the reliability of the City of New York’s 
accounting systems and financial reporting. 


Internal Control is defined by the United States Government Accountability Office (GAO) as a 
process effected by an entity's management and designed to provide reasonable assurance 
regarding the achievement of objectives for reliability of financial reporting, effectiveness and 
efficiency of operations, and compliance with applicable laws and regulations. 


This Directive outlines the principles of a sound and effective financial control system that 
should be adopted by the City and its agency management and staff. It is consistent with the 
internal control framework adopted by The Committee of Sponsoring Organizations of the 
Treadway Commission (COSO) in its Internal Control — Integrated Framework. 


The Directive also reaffirms and enhances the Office of the Comptroller’s requirement for the 
filing of an annual Agency Financial Integrity Statement. The Office of the Comptroller 
releases, on an annual basis, a Comptroller's Memorandum titled Filing of Comptroller’s 
Directive #1 Financial Integrity Statement, and the accompanying annual Financial Integrity 
Statement Checklist. 


The principles of effective internal control have been covered in the detailed Checklist 
questions that are part of the Agency Financial Integrity Statement. The Office of the 
Comptroller considers the subject matter covered by the questions to be criteria that agency 
management should follow in maintaining a reliable and effective system of internal controls. 
The Audit Bureau of the Office of the Comptroller may, therefore, choose to audit the 
information presented by agencies in their annual Agency Financial Integrity Statements. 


This Directive is issued pursuant to the authority of the Office of the Comptroller as provided 
in Chapter 5, Section 93 of the New York City Charter. 


1. GENERAL INFORMATION 


1.1 Effective Date 


This Directive is effective immediately. 


1.2 Assistance 


Questions or comments concerning this Directive should be addressed via Technical and 
Professional Standards Unit Email (directives@comptroller.nyc.gov); by telephone at: 
(212) 669-3675; or by mail to: The Office of the Comptroller, Attention: Technical & 
Professional Standards Unit, Bureau of Accountancy, David N. Dinkins Municipal 
Building, One Centre Street, Room 200 South, New York, NY 10007. 


1.3 Comptroller’s Internal Control and Accountability Directives 


An inventory of existing Comptroller’s Internal Control and Accountability Directives is 
available on the Comptroller’s Website. 


2. GENERAL CHARACTERIZATION 


Internal control is a fundamental component in the successful financial accountability of any 
public or private entity. Effective internal control provides a necessary and continuing 
surveillance over the various processes, plans and procedures that are the foundation upon 
which management relies to successfully achieve the purpose, goals and objectives of the 
agency while maintaining appropriate financial accountability for the organization's activities. 
In addition, internal control serves as the first line of defense in safeguarding assets and helps 
prevent or detect errors and fraud. 


Internal control should provide reasonable assurance that the objectives of the agency are 
being achieved in the following categories: 


• Effectiveness and efficiency of operations including the appropriate use and safeguarding 
of all resources. 

• Reliability of financial reporting including reports on budget execution, financial 
statements, and other reports for internal and external use. 

• Compliance with all applicable laws and regulations. 


A subset of these objectives is the safeguarding of all assets. Internal controls should be 
designed to provide reasonable assurance in respect to the prevention or prompt detection of 
unauthorized acquisition, use or disposition of an agency's assets. 


3. FUNDAMENTAL CONCEPTS 


The following fundamental concepts provide the underlying framework for designing and 
applying the standards of an effective internal control environment. 


3.1 Continuous and Integral Component of Operations 


Internal control is a series of actions or activities that exist as a continuing built-in 
component of an agency's operations. In order to be effective, internal control must be an 
integral part of the overall management business and control system, and should be 
similarly supported by a reporting structure including objectives, problem identification 
and accountability. Similar to other operational responsibilities, internal controls should 
be periodically reviewed and redirected as deemed necessary. 


3.2 Requires Management and Staff Involvement 


All personnel in an organization play important roles in making internal control effective. 
As such, management must realize that their responsibility for internal control extends 
beyond that of just creating the system's structure and mechanisms. It is equally important 
to ensure the existence of a healthy and participatory internal control environment 
throughout the agency. Management and staff must understand and accept internal control 
as a normal day-to-day business function. 


3.3 Affords Only Reasonable Assurance 


It is important for management to ensure that the design and implementation of agency 
internal controls is based on justifiable cost and benefit relationships. In doing so it should 
be recognized that well-structured internal controls provide only reasonable, but not 
absolute assurance for the protection of an agency's operations. Factors such as employee 
mistakes, judgement errors, or collusion can occur and may not be detected despite the 
existence of appropriate internal controls. Management needs to balance the cost of 
establishing controls to prevent or detect inappropriate actions that could affect an 
agency's ability to satisfy objectives with the risk that such actions could occur and not be 
detected. 


It is equally important that the agency’s staff is informed of and understands the purpose of 
the internal control principles under which they are required to operate. Employees should 
question and/or appropriately challenge management direction when they believe they 
have been instructed to take an action in violation of existing internal control policy. As 
required by Mayoral Executive Order 16, every City employee has an affirmative 
obligation to report, directly and without undue delay, to the Commissioner of 
Investigation or an Inspector General any and all information concerning conduct which 
they know or should reasonably know to involve corrupt or other criminal activity or 
conflict of interest, (i) by another City officer or employee, which concerns his or her 
office or employment, or (ii) by persons dealing with the City, which concerns their 
dealings with the City. 


Agency management, correspondingly, should not routinely bypass or override existing 
internal controls. In those rare instances where it is management's judgement that 
overriding policy or overriding an established control is fully justified, it must provide, 
for file purposes, complete justifying and signed documentation bearing the authorization 
of the next level of higher reporting authority. As an example, where an agency senior 
manager requests payment or reimbursement of a seemingly inappropriate expenditure, 
the justifying documentation would require the signature of the Agency Head prior to the 
voucher being processed for payment. 


4. STANDARDS OF CONTROL 


The following five control components outline the minimum level of quality acceptable in the 
development of an internal control system and provide the basis on which an agency's internal 
control may be evaluated. 


4.1 Control Environment 


A positive control environment is the foundation for all other standards of internal 
control. It should provide an obligatory discipline and structure while encouraging an 
understanding and acceptance of internal controls as a necessary element in the success of 
an agency operation. Several key factors contribute to a progressive control environment. 


• Maintaining and demonstrating an atmosphere of teamwork, integrity and ethical 
values, among management and staff, is an important environmental factor towards 
the success of business financial control. Agency management must play an active 
and visible role providing the leadership in this area, especially in setting the tone 
of the organization's behavioral values. Management's philosophy and operating 
style bear a significant influence on organizational values. 

• It is important that agency management and staff be provided with the required 
support necessary for them to accomplish their assigned duties, as well as understand 
the importance of developing and implementing sound internal control. Management 
must be alert to the various knowledge and skill levels required for the various staff 
assignments and should provide as needed on-the-job and internal/external training, 
as well as candid and constructive counseling and performance appraisals. Sound 
personnel policies and practices are also a critical factor in maintaining a motivated 
business financial control environment. 

• Another factor affecting the control environment is the organizational structure. It 
is management's framework for planning, directing and controlling operations to 
achieve agency objectives. A good internal control environment requires that the 
agency's organizational structure clearly defines key areas of authority and 
responsibility and establishes appropriate lines of reporting. The appointment of 
competent and respected staff management is vital as well as is a properly assigned 
management span of control with clearly defined lines of authority and 
responsibility. 


4.2 Risk Assessment 


Internal control should provide for an assessment of the risks the agency faces from both 
external and internal sources. A precondition to risk assessment is the establishment of 
clear and consistent agency objectives. 


Risk assessment is, basically, the identification, analysis and cost sizing of the relevant 
internal and external risks associated with achieving an agency's agreed upon objectives 
and includes the structuring of a plan to determine how these risks would be managed. As 
governmental, economic, regulatory and operating conditions continually change, agency 
management must be prepared to identify and deal with any special risks prompted by 
such changes. 


Management should comprehensively identify risks and should consider all significant 
interactions between the agency and other parties as well as internal factors and activities. 
Risk identification methods may include qualitative and quantitative ranking activities, 
management conferences, forecasting and strategic planning, and consideration of 
findings from audits and other assessments. The specific risk analysis methodology used 
can vary by agency because of the difference in agency missions and the difficulty in 
quantifying risk levels. Once risks have been identified, they should be analyzed for 
significance, likelihood of occurrence, and management actions required (e.g., creation or 
enhancement of policies and procedures to minimize risk to achieving the agency's 
objectives). 

4.3 Control Activities 


Internal control activities help ensure that management's directives are carried out. They 
are, basically, the policies, procedures, techniques, and mechanisms used to enforce 
management's direction. They must be an integral part of an agency's planning, 
implementing, review and accountability for stewardship of its resources and are vital to 
its achieving the desired results. 


Control activities should exist at all levels and functions of an agency. They include a 
wide range of diverse activities such as approvals, authorizations, verifications, record 
reconciliations, open items aging, transaction analyses, performance reviews, security 
evaluations, and the creation and maintenance of related records that provide evidence of 
the execution of these activities. Examples of individual control activities are provided in 
Section 5. 


4.4 Information and Communications 


In order for an agency to successfully manage and control its fiscal operations, it must 
have a reliable and timely communications system that flows both vertically and 
horizontally throughout the organization. It must be structured to provide the pertinent 
information relating to internal as well as external events that can affect the unit's overall 
performance. 


Management requires both operational and financial data to determine whether they are 
meeting their agencies' strategic and annual performance plans as well as achieving their 
goals for the effective and efficient use of resources. For example, operational data is 
required for the development and understanding of financial reports. This covers a broad 
range of data on purchases, subsidies, and other business transactions to data on assets, 
inventories and receivables. Operating information is also needed to determine whether 
the agency is achieving its compliance requirements under pertinent laws and regulations. 


Financial information is needed for both internal and external purposes. It is required to 
develop financial statements for periodic external reporting and to make operating 
decisions, monitor performance, allocate resources and, most important, take corrective 
measures, as necessary. 


Pertinent operational and financial information must be identified, routinely captured, and 
distributed in a form and time frame that permits people to perform their duties 
efficiently. In addition to disciplined internal communication standards, management 
should ensure that there are adequate means of communicating with, and obtaining 
information from, external third parties that may have a significant impact on the agency 
achieving its goals. 


In addition, effective information technology management is critical to achieving the 
useful, reliable, and continuous recording and communication of information. In 
accordance with Executive Order No. 140, the New York City Department of Information 
Technology and Telecommunications (DoITT) has been charged with the responsibility 
for establishing coordinated citywide policies for Information Technology and 
Telecommunications for the City of New York, and has established citywide policies and 
guidelines governing Information Technology and Telecommunications. 


4.5 Monitoring 


A sound internal control system must be supported by ongoing activity monitoring 
occurring at various organizational levels and in the course of normal operations. Such 
monitoring should be performed continually and be ingrained throughout an agency's 
operations. It should include appropriate measurements on regular management and 
supervisory activities, comparisons, reconciliations, and other actions taken by employees 
in performing their duties. Agency management must perform continual monitoring of 
activities and programs. Independent monitoring may be conducted by an agency's 
internal audit department, as well as by external auditors such as those of the New York 
City Office of the Comptroller, New York State Office of the Comptroller, and various 
federal agencies. 


Monitoring of internal controls should also include policies and procedures for ensuring 
that the findings of audits and other internal and external reviews are promptly resolved. 


In addition to ongoing internal control monitoring, separate evaluations should be utilized 
to focus directly on a control's effectiveness in a specific time frame. The scope and 
frequency of separate evaluations should depend primarily on the assessment of risks and 
the effectiveness of ongoing monitoring procedures. Separate assessments may take the 
form of self-assessments as well as the review of control design and direct testing of 
internal controls (e.g., the Agency Financial Integrity Statement). 


Deficiencies found during ongoing monitoring or through separate evaluations should be 
communicated to the individual responsible for the function and to, at least, the next level 
of higher management. Serious matters should be reported to senior management and/or 
the Agency Head, if deemed appropriate. 


Recent audits performed by the Office of the Comptroller are replete with examples of 
serious internal control lapses that could have been alleviated or avoided by an agency's 
attention to these five basic components of acceptable internal control. Current and prior 
audit reports are available for review on the Office of the Comptroller website. 


5. INTERNAL CONTROL - EXAMPLES 


The following are examples of some basic internal controls and are an illustration of the range 
and variety of controls that may be useful to agency management. They are not meant to be 
all-inclusive and may not include particular activities that an agency may require. 


An agency's internal control system should be flexible and allow tailoring of its controls to fit 
its special needs. The specific controls used by a given agency may be different from those 
used by others due to a number of organizational factors including threats they may face and 
risks they may incur, differences in objectives, operational environment, and requirements for 
system reliability, availability and performance. 


5.1 Top Level Agency Performance Reviews 


Senior management should consistently track major agency business achievement 
indicators and compare them to agency plans, goals and objectives. Management should 
develop contingency plans and make adjustments as appropriate. Situations identified by 
audits or operational experience that bear the potential for significant monetary loss or 
risk to achieving agency objectives should be noted and discussed at this level of agency 
review. 


5.2 Management Review at Functional or Activity Level 


Management, throughout the organization, should be comparing actual functional or 
activity level performance data to planned or expected results, analyzing significant 
variances and introducing corrective action as appropriate. Key indicator tracking and 
self-assessment checklists are important tools in measuring the control posture of various 
functional activities. Tracking and aging mechanisms are crucial in those agencies that are 
responsible for collection of rents, taxes, fines, franchise fees and other types of revenue. 


5.3 Workforce Management 


Effective management of an organization's workforce is essential to achieving desired 
results and an important part of internal control. Only when the proper personnel are on 
the job and are provided with the appropriate training, tools, structure, incentives, and 
responsibilities is financial operational success attainable. Management should ensure that 
skill needs are continuously assessed and that the organization is able to obtain a 
workforce that has the skills necessary to achieve organizational fiscal goals. 


5.4 Control Over Computer Information Processing 


A variety of control activities are used in information processing to ensure that access to 
hardware, software and data is limited to only those individuals that management has 
decided should have such access. Management should exert particular control to limit the 
access of consultants and other individuals who may not be employees of the City of New 
York, to their areas of interest only and for the period of time that is required for them to 
complete their authorized assignments. Other management approved controls are used to 
ensure that software performs the functions that it is intended to, and that processed data 
is accurate and reliable. 


Agencies should establish the appropriate controls when consultants and other individuals 
who are not employees of the City of New York, have access to Information Processing 
data, files and programs used in production in City-operated information systems, 
including the Financial Management System (FMS). Examples of such controls to be 
considered include performing background checks of the non-employees, use of 
confidentiality agreements, and appropriate supervision and monitoring by City 
employees. Approval by the Agency Head, or designee, of such access should be 
documented. Programming changes which may have been made by consultants should be 
thoroughly tested and approved by management before being put into production. Third 
party vendors who may process data on behalf of City agencies should be monitored by 
City management to ensure that the data is accurate and appropriately processed. 


5.5 Physical Control of Vulnerable Assets 


An agency must establish physical control to secure and safeguard vulnerable assets. 
Examples include security for and limited access to assets such as cash, securities, 
inventories, computers and other equipment, which might be vulnerable to risk of loss or 
unauthorized use. Periodic counting and comparison to control records for such assets is 
an important element of control of these assets. 


5.6 Performance Measures and Indicators 


Activities need to be established to monitor fiscal performance measurements and 
indicators. These controls could be comparisons and assessments relating different sets of 
data to one another so that analysis of the relationships can be made and appropriate 
actions taken. Controls should also be aimed at validating the propriety and integrity of 
both organizational and individual performance measures and indicators. This is 
particularly important in measuring the performance of field personnel such as inspectors. 


5.7 Segregation of Duties 


Key duties and responsibilities need to be divided or segregated among different staff 
members to reduce the risk of error or fraud. This should include separating the 
responsibilities for authorizing transactions, processing and recording them, reviewing the 
transactions, and handling any related assets. No one individual should control all key 
aspects of a transaction or event. 


5.8 Proper Execution of Transactions and Events 


Transactions and other significant events should be authorized and executed only by 
persons acting within the scope of their authority. This is the principal means of assuring 
that only valid transactions to exchange, transfer, use or commit resources are initiated or 
entered into. Approved authorization levels should be documented, updated as necessary 
and clearly communicated to managers and employees. 


Individuals who are not employees of the City of New York (e.g., community board 
members) should not be authorized to commit City resources or execute transactions on 
its behalf. 


5.9 Accurate and Timely Recording 


Transactions should be promptly recorded to maintain their relevance and value to 
management in controlling operations and decision making. This applies to the entire 
process or life cycle of a transaction or event from the initiation and authorization through 
its final classification in the agency's records. Sound control activities help ensure that all 
transactions are timely and accurately recorded. 


5.10 Access Restrictions to Records and Resources 


Access to agency resources and vital records should be subject to appropriate limitations 
and accountability for their custody and use should be clearly assigned and maintained. 
Periodic comparison of the resources with the recorded accountability should be made to 
reduce the risk of errors, fraud, misuse or unauthorized alteration. 


5.11 Appropriate Documentation of Transactions and Internal Controls 


All transactions and significant events need to be clearly documented and the 
documentation readily available for use or examination. Internal controls should be 
documented in management administrative policies or operating manuals. All 
documentation should be properly managed and maintained in accordance with updated 
records retention schedules. 


6. AGENCY FINANCIAL INTEGRITY STATEMENT 


As noted previously, the Office of the Comptroller releases, on an annual basis, a 
Comptroller's Memorandum entitled Filing of Comptroller’s Directive #1 Financial Integrity 
Statement, and its accompanying annual Financial Integrity Statement Checklist. 


The Agency Head (e.g. Commissioner, First Deputy Commissioner, Executive Director, etc.) 
is required to sign the Financial Integrity Statement, which represents a formal opinion 
regarding the adequacy of the agency's internal control structure. This opinion is supported by 
the Directive #1 Checklist that agency personnel are required to complete. As mentioned 
earlier, the Office of the Comptroller considers the Directive #1 Checklist questions to 
represent basic internal control criteria that agency management should follow in maintaining 
a reliable and effective control system. 


The Audit Bureaus of the Office of the Comptroller may therefore choose to audit the annual 
agency Financial Integrity Statement responses (which would include the Directive #1 
Checklist, any required attachments, and supporting documentation that would be available at 
agency sites) as part of the Comptroller's mandated audit responsibilities under Chapter 5 
Section 93 of the New York City Charter. 


Two copies of the Financial Integrity Statement with fully completed copies of the Directive 
#1 Checklist plus any additional documentation that the Directive #1 Checklist may require 
should be filed with the Office of the Comptroller and an additional copy sent to the Mayor’s 
Office of Operations. Further instructions, annual reporting requirements and related due dates 
will be included in the annual updates to this Financial Integrity Comptroller's Memorandum. 
Updates to the Directive #1 Checklist will represent current criteria that agency management 
should follow in maintaining a reliable and effective system of internal control. 

